Security vendor Cofense has seen a significant increase in finance-based phishing attacks in the last three months. The phishing emails purport to come from major banks and Her Majesty’s Revenue and Customs (HMRC). As such, nothing here is new. In fact, from HMRC’s perspective, the rise in emails is embarrassing. It has run several high-profile campaigns to stop these emails getting through.
As with all phishing attacks, once the emails are opened they begin installing malware on the target computer. The attackers are after access to the bank accounts and financial data of their victims.
The details of the attacks appear in a blog by Mollie Holleman. What is interesting is that this is not about individuals but attacks against corporate targets. In the blog Holleman writes: “Almost all the emails reference supposed payments, financial advice, or account information—often for corporate accounts.”
Holleman also mentions the increased skill and care taken with the targeting of the phishing campaigns. Many of the attacks are targeted at those the attackers believe have access to corporate bank accounts. For larger organisations this will be senior people inside accounting teams. For smaller companies, this could be anyone in an admin position.
The websites are also getting much harder to differentiate from the real ones. In addition, the emails use a range of techniques, from invoice details to information about how to access accounts. One irony called out by Holleman is the addition of security tips and warnings in the emails.
What malware is Cofense seeing?
There are no surprises when it comes to the malware families that Cofense is seeing. Top of the list is Trickbot, a well-established banking malware. This is a piece of malware that is well maintained and targets multiple financial institutions. Cofense is also seeing attacks using commodity malware such as Pony and Loki Bot.
One interesting twist in the malware used is that it also includes attacks against cryptocurrency wallets. This may be because the attacks are focused on individuals who have commented on cryptocurrency sites. It may also be due to the growth in enterprises buying and holding cryptocurrencies in order to pay ransomware and other attacks.
What does this mean?
Phishing attacks continue to be effective against organisations. There is increasing professionalism from the attackers. Poor spelling and bad grammar are becoming things of the past. When users do click on a link they are taken to a website where it can be difficult to tell the fake from the real thing. Attackers are also quick to respond to new opportunities. HMRC announcing changes to tax law inevitably leads to a rash of phishing emails.
Phishing attacks such as CEO Fraud or Business Email Compromise exploit poor or overly complex corporate processes. Organisations need to start reviewing how they operate by thinking like an attacker. Better training for users is one solution. Another is gamification to teach users how to spot phishing and other attacks.
However, training users and gamification can only go so far when it comes to protecting a business. One of the biggest challenges for organisations is ensuring that users are paying attention to the emails they open. Shift training to a new attack and an old one reappears and catches everyone out.